Security in Mobile application

Abhishek Singh, published in System Weakness, Nov 13, 2021 (5 min read)

Before we dive deep into security, we should understand what security is and why we need it. In layman's terms, security is safety from one's surroundings. We are protected by many factors: the atmosphere shields us from the sun's harmful rays, the human body protects itself from harmful bacteria and viruses, and the government works to ensure every citizen has their fundamental rights and equal opportunity.

In the same way, when developing any application, making it secure should be the top priority for any business. The level of security required depends on the type of application: a banking application must have the highest level of security, because no one wants a stranger playing with their hard-earned money. Making an application secure requires, at a minimum, all of the processes and features we are going to discuss in this article and the upcoming ones.

Covering everything in one blog post would be difficult and would make it very long, so I am dividing the material into four articles. You can find all of them here:

This post is about making sure that the client and server have a secure connection, so I am focusing only on securing client-server communication.

Whenever we discuss communication, we immediately think of HTTPS. Yes, you guessed it: that is the topic of this post, and we are going to cover the points below.

  • What are HTTP and HTTPS
  • What makes HTTPS more secure
  • Detailed understanding of HTTPS

What are HTTP and HTTPS:

By definition, HTTP stands for Hypertext Transfer Protocol and HTTPS stands for Hypertext Transfer Protocol Secure. The "Secure" added in HTTPS is all we need, and it is what forces us to choose HTTPS over HTTP.

What makes HTTPS more secure:

The "S" added in HTTPS stands for Secure. HTTP is a protocol for sending requests and receiving responses; the request and response travel in plain text and can easily be read by anyone who can see the traffic. HTTPS is HTTP with encryption added on top by TLS/SSL.

HTTPS itself is very secure, and using HTTPS by itself makes an application secure. But wait: if that's the case, why should we need to work on anything else when we can simply use HTTPS? If you are thinking the same, there are ways to defeat HTTPS as well, which we will discuss in the upcoming posts. Let's first understand in detail how HTTPS works and what makes it more secure.

Detailed understanding of HTTPS:

As stated earlier, HTTPS is HTTP with encryption provided by TLS/SSL. TLS is Transport Layer Security and SSL is Secure Sockets Layer. SSL is deprecated, so we will not discuss it. The current version of TLS in use is TLS v1.3, which we will discuss in detail.

How Transport Layer Security works:-

TLS is built on the concept of public and private keys. For a better understanding, let's assume there is a client (an iOS or Android device) trying to connect to a server. Before establishing the connection and starting to share data, the two first need to perform a handshake.

Handshake between client and server:-

Both the client and the server hold a private key and a public key. When the client first tries to connect to the server, it sends its public key, or a mix of its private and public keys (which is very secure and impossible to break), to the server.

For better understanding, let's assume the client shares a mix of its private and public keys, which we will call the mix key. The server receives the client's mix key and combines it with its own private key, which generates a unique key. This unique key is called the secure key. Just as the client did, the server now sends its own mix key to the client. The client combines this server key with its private key, which generates the matching unique/secure key. Now both client and server have the secure key, the handshake is complete, and all further requests and responses are encrypted using the secure key generated during the handshake.

Let's rewind and go over how the client and server end up with the unique key. The process goes like this:-

  1. The client has a private key and a public key. It can send the server either its public key or a mix of its private and public keys, which is impossible for any hacker to break.
  2. The client shares the mix of its private and public keys with the server.
  3. The server has its own private key.
  4. The server receives the client's mix key and combines it with its own private key, which gives a unique/secret key used to encrypt the data.
  5. Once the server has that unique key, it sends the client its own mix of its private key and the client's public key.
  6. Once the client receives the mix key from the server, it also combines it with its private key and creates the unique/secret key used to encrypt further communication.

Now both client and server have the secret key, so all communication will be encrypted with this secret key and decrypted with the same secret key, which makes the overall system very secure.
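The six handshake steps above, as an added example that is not part of the original post: a toy Diffie-Hellman key agreement in Python in which the "mix key" is the private key blended with a public base, and each side combines the other's mix key with its own private key to reach the same secret. The group parameters (p = 2039, g = 2), the salt string, and every function name are constructed for this illustration; p is far too small to be secure, and real TLS 1.3 runs the same idea over standardized groups such as X25519 and additionally authenticates the server with a certificate, which the article and this toy leave out.

```python
"""Toy key agreement that follows the article's handshake steps.

Added example, not code from the original post. The numbers below are
constructed for readability: the prime is tiny, so this group is NOT secure.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed toy group: p = 2039 is a safe prime (2 * 1019 + 1), g = 2.
P = 2039
G = 2


def public_value(private_key: int) -> int:
    """The article's 'mix key': the private key blended with the public base g.

    This value can be sent over the network. Recovering private_key from it is
    the discrete-logarithm problem, which is only hard when the group is large.
    """
    if not 1 <= private_key <= P - 2:
        raise ValueError("private key out of range")
    return pow(G, private_key, P)


def public_value_ok(value: int) -> bool:
    """Reject peer values that would force a trivial shared secret (0, 1, p-1)."""
    return 2 <= value <= P - 2


def shared_secret(peer_public: int, private_key: int) -> int:
    """Combine the peer's mix key with our own private key.

    Both sides land on the same number because (g^a)^b == (g^b)^a (mod p).
    """
    if not public_value_ok(peer_public):
        raise ValueError("peer public value rejected")
    return pow(peer_public, private_key, P)


def derive_key(secret: int, client_pub: int, server_pub: int) -> bytes:
    """Turn the raw shared number into a 32-byte symmetric key (HKDF-style).

    Binding both public values into the derivation means a tampered handshake
    message yields different keys on the two ends instead of going unnoticed.
    """
    ikm = secret.to_bytes(2, "big")
    transcript = client_pub.to_bytes(2, "big") + server_pub.to_bytes(2, "big")
    prk = hmac.new(b"toy-handshake-salt", ikm, hashlib.sha256).digest()  # extract
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()  # expand


def handshake(client_private: int, server_private: int) -> Tuple[bytes, bytes]:
    """Run the article's six steps and return (client_key, server_key)."""
    # Steps 1-2: the client computes its mix key and sends it.
    client_pub = public_value(client_private)
    # Steps 3-4: the server combines it with its own private key -> secret.
    server_side_secret = shared_secret(client_pub, server_private)
    # Step 5: the server sends its own mix key back.
    server_pub = public_value(server_private)
    # Step 6: the client combines it with its private key -> the same secret.
    client_side_secret = shared_secret(server_pub, client_private)
    client_key = derive_key(client_side_secret, client_pub, server_pub)
    server_key = derive_key(server_side_secret, client_pub, server_pub)
    return client_key, server_key


def random_private_key() -> int:
    """Fresh per-connection private key, as TLS 1.3 does (ephemeral keys)."""
    return secrets.randbelow(P - 2) + 1


if __name__ == "__main__":
    a, b = random_private_key(), random_private_key()
    ck, sk = handshake(a, b)
    print("client key:", ck.hex())
    print("server key:", sk.hex())
    print("keys match:", ck == sk)
```

Only the two mix keys ever cross the wire; the private keys stay on their own devices, and the symmetric key both sides print is never transmitted at all. The `public_value_ok` check is the part a practitioner adds: without it a peer could send 0 or 1 and force a predictable secret.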

That was all about how TLS works and how HTTPS uses it to encrypt requests and responses.

Please write your queries, questions, or any doubts you have after reading this post.

Now you must be curious to know how HTTPS can be tricked. If you really want to know how to avoid such scenarios, please read the next article below, which is part of our series on Security in Mobile application.

That’s all for now😊.